
I have an application that I want to run as a service on system start, and that application should run as a specific user (the application is Apache Karaf). I have all this set up, but the user I am using for this has a password, so every time the service is started, the password of that user has to be entered.

I currently have a user with the following entries in /etc/passwd and /etc/shadow:

# /etc/passwd
karaf-test-user:x:1002:1002::/home/karaf-test-user:/usr/sbin/nologin

# /etc/shadow
karaf-test-user::15659:0:99999:7:::

As far as I can see this user does not have a password set and cannot log in, but it does have a home directory (this is required for the application). However, when I type:

/etc/init.d/karaf-service start

I am prompted for the password of that user. How can I prevent this? How can I modify this user to not require a password at this point? I have found this answer, but it seems hacky to me. Is this really the only way? Are there any best practices to respect?

I am running on Ubuntu 12.04.1.

1 Answer


The way I settled upon was to create the dedicated user with password, but always manage the service as root, which does not require a password for su. To make this secure, I have created a group karaf-admins and added the following entry to sudoers:

%${KARAF_ADMINS} ALL=NOPASSWD: /etc/init.d/karaf-service

This allows members of that group to run commands like sudo /etc/init.d/karaf-service start as root without entering a password. The karaf-service script itself will then switch to the dedicated user I have set up. As long as users in karaf-admins are not allowed to edit the service script or the symlink (which they shouldn't be), this is perfectly safe.
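The answer's safety argument rests on two invariants: nobody in the delegated group can edit the service script (or swap its symlink target), and the service account itself cannot log in interactively. The following is an added example, not code from the original answer; it checks both invariants using the script path and account name from the question, with function names that are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a NOPASSWD
# sudoers delegation of a service script. Paths and the account name come
# from the question; the functions are this example's own.

# check_script_ownership PATH [OWNER]
# Succeeds only if PATH and, when PATH is a symlink, its final target both
# belong to OWNER (default root) and the target is writable by neither group
# nor others. A delegated user who could edit either would run code as root.
check_script_ownership() {
    path=$1; owner=${2:-root}
    real=$(readlink -f "$path") || return 1
    [ -e "$real" ] || { echo "missing: $path"; return 1; }
    for f in "$path" "$real"; do
        actual=$(stat -c '%U' "$f") || return 1
        [ "$actual" = "$owner" ] || { echo "$f owned by $actual, not $owner"; return 1; }
    done
    # octal mode of the real file: a 2, 3, 6 or 7 in the group or other
    # digit means that class has write permission
    perms=$(stat -c '%a' "$real") || return 1
    case $perms in
        *[2367][0-7]) echo "$real is group-writable (mode $perms)"; return 1 ;;
        *[2367])      echo "$real is world-writable (mode $perms)"; return 1 ;;
    esac
    return 0
}

# check_service_account PASSWD_LINE
# Takes one /etc/passwd line and succeeds only if the account has a home
# directory (field 6) and a non-interactive shell (field 7).
check_service_account() {
    line=$1
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ -n "$home" ] || { echo "no home directory in: $line"; return 1; }
    case $shell in
        */nologin|*/false) return 0 ;;
        *) echo "interactive shell $shell in: $line"; return 1 ;;
    esac
}

# Stand-alone use on the host from the question (reads the real files):
if [ "${1:-}" = --run ]; then
    check_script_ownership /etc/init.d/karaf-service
    check_service_account "$(getent passwd karaf-test-user)"
fi
```

After editing sudoers, `visudo -c` (run as root) validates the file's syntax, and `sudo -l` run as a member of the group shows exactly which command the NOPASSWD entry grants.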